So, I've found an XSS vuln that I'd like to exploit via a CSRF vuln, but I'm having trouble with encoding in the CSRF.Right now my CSRF exploit is just a hidden html form that's auto submitted by javascript. The XSS payload requires double quotes, which breaks the HTML form. For example, the value with the payload would look something like this:

That obviously doesn't work because the quotes in the payload screw up the form. I can't URL encode the quotes because then they get double encoded and the payload won't execute. I've tried changing the enctype of the form to text/plain and multi-part/formdata but no luck. The CSRF vulnerable link will only take POST, not GET.

Any ideas on how to get around this? I was thinking it may be possible to dynamically construct an http POST request with Javascript to submit it, but I'm not sure how.

The actual tool is available via: http://www.exploit-db.com/sploits/evilwebtool.tar.gz where trojan.js contains the javascript payload. (Note that the python tool reads php code or the reverse php shell (from pentestmonkey) and parses it into the trojan file before serving it.

It took some clever encoding, but it works 100% (tested in FireFox) and has been used in a few demo's that I've made. Knowing JavaScript, HTML and attack vectors within these, including various encoding methods, will be sufficient to pull off any XSS attack even defeating Anti-CSRF tokens.

The trojan.js file bypasses the built-in CSRF protection in vBulletin as well. It's probably the best PoC that I have ever made hehe